Thales Alenia Space, 100 bd du Midi - BP 99 06156 Cannes la Bocca Cedex France {firstName.lastName}@thalesaleniaspace.com Phone : +33 (0)4 92 92 66 79 Fax : +33 (0)4 92 92 69 70 that the concerned industries put their efforts into the definition of better engineering practices. This paper gives an overview of Gene-Auto, an ITEA European project that addresses the issues identified above. The concrete objective of Gene-Auto is to develop an automatic and qualified C code generator from mathematical functional models created with Matlab-Simulink and Scilab-Scicos. Such models are currently used during system design and they are the basis for software development. The paper is structured as follows. Section 2 presents the context and the rationale of the Gene-Auto project. Section 3 gives an overview of the project, emphasising its main objectives and its organization in terms of work packages and workflow. Section 4 focuses on the code generator while Section 5 highlights the validation work carried out by ASTRIUM Satellites and Thales Alenia Space. Section 6 concludes the paper. 2. CONTEXT AND RATIONALE

ABSTRACT This paper gives an overview of the Gene-Auto ITEA European project, which aims at building a qualified C code generator from mathematical models under Matlab-Simulink and Scilab-Scicos. The project is driven by major European industry partners, active in the real-time embedded systems domains. The GeneAuto code generator will significantly improve the current development processes in such domains by shortening the time to market and by guaranteeing the quality of the generated code through the use of formal methods. The first version of the Gene-Auto code generator has already been released and has gone thought a validation phase on real-life case studies defined by each project partner. The validation results are taken into account in the implementation of the second version of the code generator. The partners aim at introducing the Gene-Auto results into industrial development by 2010.

1.

INTRODUCTION

The development of real-time embedded systems, such as those of automotive and aerospace domains, faces increasing constraints, in particular related to higher system complexity and shorter time to market. Such conflicting requirements are the origin of significant efforts from industry towards the improvement of the current development processes. In the space industry, increasing complexity is due to increasing functional requirements as well as related to autonomy, performance and dependability. This complexity maps to a growing number of software functions that must be thoroughly tested. In addition, the system must be designed to favour maintainability during system operation. On the other hand, reducing the cost and the time to market is mandatory for obvious competitiveness reasons. In this context, it is imperative

Commercial code generators from Matlab-Simulink do exist (e.g., Real-Time Workshop & Real-Time Workshop Embedded Coder from Mathworks [1] and TargetLink from DSpace [2]). Also, INRIA provides a code generator for Scilab-Scicos [3]. However, the partners experience showed that a small change in the input model may lead to unpredictable changes in the generated code, which make the generated code difficult to certify. In addition, the existing code generators are hard to tailor for specific needs of one domain, which hampers productivity. The Gene-Auto code generator is meant to answer these problems and is expected to offer major advantages: 1) Reduced development time for the concerned industries (aerospace and automotive) by shortening the coding and testing phases in the development process, 2) Increased code quality and reduced need of low-level validation and testing, as the transformation from model to code is proven to be correct by means of modern formal verification techniques,

3) Complete control over the maintenance of the code generator which will be open-source. This is an essential aspect for industries where the product lifetime is very long, which is the case in the aerospace domain. Related work is carried out in a significant number of collaborative projects, involving industry and academia, that focus on defining and putting into practice effective model-driven engineering processes based on using modern modelling languages and automatic transformations from models to models and from models to code. Such projects are ASSERT [4], ModelWare [5], Neptune [6], Spices [7] and TopCased [8]. In the future, Gene-Auto is expected to be integrated with the TopCased open-source development environment. 3. PROJECT OVERVIEW

The Gene-Auto project started in January 2006. It is led by Continental Automotive (formerly Siemens VDO) and gathers partners from aerospace and automotive domains (Airbus France, ASTRIUM Satellites, Thales Alenia Space, Barco, Israel Aircraft Industries and Continental Automotive France), as well as leading research institutes (Institut National Polytechnique de Toulouse, Tallinn University of Technology and INRIA) and companies with extensive experience in tool development (IB Krates and CRIL Technology). Three major results are expected from this project: 1) Joint user requirements for the code generator. Partners from different application domains use different modelling rules for their systems. Thus, the techniques and input formats supported by the code generator must be completely agreed upon.

2) An approach and subsequent tools allowing the use of formal verification and validation techniques together with the code generator. 3) A code generator prototype able to generate certified software in C language based on the joint user requirements. The code generator must also be able to perform code optimization. The work is structured into six work packages: - WP1 is in charge of defining the user requirements. Even if all partners focus on real-time systems, they do have different requirements, set by their specific application domain. Thus, it is mandatory to reach an agreement on a joint set of user requirements. - WP2 focuses on the development of the code generator and on its validation and verification. - WP3 develops full-scale case studies, specific to each partner, to be used for testing and validating the code generator. - WP4 is in charge of the code generator validation effort, based on the case studies defined in WP3. The correctness and efficiency of the generated code are evaluated by comparison with the hand-made code or with code generated with commercial toolsets for each case study. - WP5 deals with the research activities in the field of formal methods for validation and verification of the code generator. The verification of the conformance of the generated code with the original mathematical model is of particular importance. - WP6 is meant to set up guidelines for the qualification of the code generator. Figure 1 shows an overview of the Gene-Auto project with the interactions between the work packages.

Figure 1. Project Overview

The user requirements impact the development of the code generator, as well as the definition of the case studies, the formal methods to be used and qualification activities. The validation activities are based on the code generator prototype and on the case studies. Its results are used for the preparation of the toolset qualification. The quality requirements and the selected formal methods are fed into the code generator development. 4. THE CODE GENERATOR

The Gene-Auto toolset converts different types of models into imperative programming language. The model types supported are: - Data-flow models (Simulink and Scicos) - State models (Stateflow diagrams) The imported models are converted to program code. The code generator architecture has been designed to be, as much as possible, independent from the target programming language. Thus, even though the C language has been selected within the Gene-Auto project, it is possible to target a different language (e;g., Ada) with a minimum amount of development effort. The Gene-Auto code generator is formed of an imperative part and a user-configurable part. The userconfigurable part allows users to define the code to be generated for Simulink/Scicos blocks that have not been selected in the joint user requirements to be supported by the Gene-Auto prototype. 50 blocks are included in the standard Gene-Auto library. The toolset uses two intermediate languages: - GAModel is a representation of the modelled system in terms of data flow and state chart models (e.g., in terms of blocks, signals, ports, charts, states). - GACodeModel is a representation of the modelled system in terms of imperative programming languages (e.g., in terms of variables, functions, expressions, statements). Figure 2 shows an overview of the interactions between the languages and models used by Gene-Auto. As shown in the figure, all imported models (from Simulink, Scicos and Stateflow) are converted to GAModel. The latter is refined by a sequence of steps (typing, scheduling, clock calculus, enable port calculus, memory model inference). The refined GAModel is finally transformed to GACodeModel. An optional optimisation step can be performed based on the GACodeModel. The final transformation step produces program code in target language (which is C language in the projects context). Figure 2 also shows the possibilities of extension of the toolset, either by adding an importer to GAModel from another input modelling language or by adding an exporter from GACodeModel to another imperative programming language (e.g., Ada could be considered for the space domain).

Figure 2. Gene-Auto languages and models The Gene-Auto toolset is modular, i.e., it is formed of a set of elementary tools. An elementary tool implements a well-identified function and can be used independently through its own command-line interface. In order to have loose coupling between the elementary tools, data is exchanged through files. The Gene-Auto elementary tools are based on four kinds of components: 1) Model importers allow importing source model from its native format and convert it to the Gene-Auto model. All information necessary for further steps is imported. The original model is no longer used. 2) Model transformers perform specific transformation steps on an imported model. The final transformation targets language code. 3) Model verifiers check correctness of each transformation step. 4) Model serializers associated with each intermediary model format (Gene-Auto model and Gene-Auto code model) ensuring it is possible to export the model to a file between any transformation steps. Figure 3 shows the workflow of the code generator. The input model is parsed and an intermediary GAModel is built based on the dataflow. The order of execution of blocks is identified and data types associated to signals are resolved before building the GACodeModel from which C code is generated. The first version of the Gene-Auto code generator prototype has been implemented based on the definition of the user requirements within the project. This first version has been released in July 2007. The toolset is formed of two separate packages, generating code respectively from Simulink/Scicos block diagrams and Stateflow models. The code generator for Simulink/Scicos is developed in Java programming language while the one for Stateflow is developed in Haskell. The first release of the Gene-Auto toolset covers much of the modelling semantics selected within Gene-Auto based on user experience.

Simulink and SF code generated

SF code generated

Figure 3. Workflow of Gene-Auto Code Generator A second release of the Gene-Auto prototype is planned for mid-2008. To favour the integration of the two packages, this second release will be entirely developed in Java language. As stated in Section 3, one of the aims of the Gene-Auto project is to define an approach and subsequent tools to build and qualify code generation tools using formal methods. After a comparison of suitable technologies for verification and validation of code generators [9], proof assistants have been selected for use within the Gene-Auto project. Proof assistants are used for building both specifications and proof of properties about specifications that are correct by construction. The Coq proof assistant [10] is currently used for building alternative implementations to the classical Java ones for some of the Gene-Auto elementary tools (i.e., the block sequencer and the typer). Coq allows building proofs in an interactive way and extracts functional programs (in Objective CaML, Haskell or Scheme) from the proofs of their specifications. At the end of the project, the full set of elementary tools will implemented in Java language and verified by classical testing. In addition, the block sequencer will have a Coq-proven alternative implementation. The sequencer is in charge of computing the execution order of functions generated from model blocks, according to the model semantics. By choosing an appropriate launcher, the Gene-Auto user will have the choice of executing either the full Java implementation or the implementation with COQ-proven components. 5. CURRENT VALIDATION STATUS FOR THE SPACE DOMAIN Partners have carried out validation activities for the first version of the code generator, based on full-scale case studies. A second iteration of these activities will be performed on the second version of the prototype (to be released mid-2008). The remainder of this section is structured as follows. Subsection 5.1 gives an overview of the case studies used by ASTRIUM Satellites and Thales Alenia Space in the validation activities. Subsection 5.2 presents the model adaptations necessary to comply with the Gene-Auto modelling rules and restrictions. Subsection 5.3 summarizes the preliminary validation results.

5.1

Case studies

Nine full-scale case studies are used by the Gene-Auto consortium for validation experiments. In this paper, we only focus on the case studies proposed by the space industry partners (i.e., ASTRIUM Satellites and Thales Alenia Space). ASTRIUM Satellites and Thales Alenia Space have used real-life case studies and thus focused their validation activities on the code generator from Matlab-Simulink and Stateflow, as these models are currently widely-spread in the industrial development cycles. The validation activities carried out at ASTRIUM Satellites have been based on the Pleiades HighResolution project that is an Earth observation spacecraft currently developed for the French Space Agency (CNES). The experiment focused on the attitude and orbit control software (AOCS) subsystem. The AOCS subsystem has already been modelled under Matlab-Simulink. However, the existing models are not used in the Pleiades High-Resolution project for software code generation. Simulink is used for modelling AOCS control laws but is unsatisfactory for designing mode management. Thus, Stateflow is used for modelling AOCS mode manager automata which are integrated into Simulink models. Within the context of an internal study, these AOCS models have been refined to allow the use of Real-Time Workshop and TargetLink code generators. Code is automatically generated from this hybrid model, which contains Stateflow diagrams and Simulink subsystems activated by the Stateflow mode management automata. Within Gene-Auto, a comparison between the originally handwritten code and the code generated with the Gene-Auto toolset has been performed. The code generated with the Gene-Auto toolset has been evaluated in terms of compilation, code size, code correctness and quality, traceability between model and code and tool customization. The validation activities carried out at Thales Alenia Space have been based on the AOCS subsystem called PACS (Precise Agile Control Systems). It can be used in missions like SPECTRA (Earth Exploration mission "Surface Processes and Ecosystem changes Though Response Analysis" aiming at studying the carbon life cycle). This model has been selected to be used within Gene-Auto because it had already been used in an internal trade-off study performed by Thales Alenia Space in 2005 on the automatic code generation tools. The PACS model is composed of 2 parts: the first one models the control algorithms using Matlab-Simulink and the second one models the mode management and the failure detection, isolation and recovery strategy (FDIR) using Stateflow. Code has been totally generated on PACS sub-models (the 3 AOCS modes and the Stateflow diagram have been automatically generated separately). The code has then been compiled as a library and integrated into the Thales Alenia Space

software mock-up [11]. Code has been written manually to associate Stateflow I/O data and automatically generated code from Matlab-Simulink. The code generated with the Gene-Auto toolset has been evaluated in terms of compilation/cross-compilation, code size and quality, integration with manually-written code, traceability between model and code and tool customization. 5.2 Validation

To achieve the code generation from the existing models, it has been necessary to customize them in order to comply with the Gene-Auto modelling rules and restrictions. The most important modifications are summarized below: - Block mask parameters have been removed (this feature is not implemented for the first release of Gene-Auto). - Name uniqueness had to be ensured in the entire model (Simulink allows using the same name for several blocks if they are located in different subsystems, while the first release of Gene-Auto requires name uniqueness in the entire model). - Unsupported blocks have been replaced by equivalent sets of blocks or have been added in a user defined backend library. - Bus selectors with no matching bus creators have been removed (i.e., bus selectors on systems input ports were removed, as GeneAuto requires pairs of bus selectors/creators). - Merge blocks have been removed, as some configurations with Merge blocks are not yet correctly handled by Gene-Auto. - The Matlab .m files had to be modified, as constants declared in an .m file must have explicit values (Matlab expressions are not supported by the first release of Gene-Auto). - Several FROM blocks were duplicated, as the first release of Gene-Auto does not allow connecting a FROM block to several subsystem inputs. - Function callers and function call targets have been brought to the same level (the first release of Gene-Auto does not support function call signals that cross subsystem boundaries). 5.3 Preliminary results

Standard gcc and gcc for ERC32 compilers have been used for compilation and cross-compilation. Minor issues have been identified with regards to code compilation. The cause of the problems has been identified and is related to the management of the interface between the Stateflow and Simulink code generators. The second release of the Gene-Auto toolset

will solve it, as the interface between the two code generators will be better mastered, the unique development language being Java. The size of the generated code seems to be comparable to that of the code written manually. The generated code is placed in twice as many files as the manually-written one. Indeed, the code generator creates by default one file for each subsystem, whereas the granularity is greater in the case of manually-written code. Code correctness has been assessed by cross reading or testing. A few bugs have been reported and fixed. Code quality has been evaluated by using commercial tools Logiscope and Rulechecker. The results are satisfactory. Traceability between model and code has been evaluated by cross reading and seems to be satisfactory, except for the fact that annotations that are present in the Simulink model are not propagated in the generated code as comments. This feature will be implemented in the second release of the Gene-Auto toolset. The structure of the code follows exactly the model: one file per subsystem, names of variables are translated in the code. The comments help the reader move between code and model during the development process. Tool customization experimentation focused on the definition of new library elements (typer/backend) for S-functions, unsupported primitive blocks and masked subsystems. The overall conclusion is that the GeneAuto extension mechanism is very convenient. Yet, it needs some improvements, especially with regards to parameter passing (not supported in the first release). From the functional point of view, it appears that the necessary Stateflow features are already supported. However, the users will most likely have to build domain-specific libraries to complete the standard block library for Simulink/Scicos (the 50 supported blocks may not be sufficient). Also, the first release of the Gene-Auto toolset does not support multi-frequency models. This feature is expected to be implemented in the second release. Obviously, the validation results influence the development of the second version of the Gene-Auto code generator prototype. With the current Gene-Auto version, the necessary effort to customize the models is too important. Thus, the second version of the toolset is to be improved in order to support additional MatlabSimulink features (e.g., mask parameter, parameter as structure, loosen the name uniqueness constraint). 6. CONCLUSION

software development phase consists in implementing these specifications in C language. In this context, the main goal of the Gene-Auto project is to improve the development process by allowing automatic and qualified code generation from such models. In this way, the coding phase is considerably shortened. Also, a change in the input model only implies re-generating the code. Currently, the first version of the Gene-Auto code generator has been released and the project partners have performed validation activities on it with respect to real-life case studies from aerospace and automotive domains. The results of the partners validation experiments are coherent and encouraging. The code has been compiled both on test and target environments. Partners are confident that the generated code with the second release of the Gene-Auto toolset will meet their requirements in terms of quality and readability. The partners aim at introducing the Gene-Auto results into industrial development by 2010. 7. ACKNOWLEDGEMENTS

This paper gave an overview of the Gene-Auto European project that aims at building a toolset prototype for the generation of certified C code from mathematical system models specified with MatlabSimulink/Stateflow and Scilab-Scicos. Such models are currently used during system design. Generally, the